Advanced Security Rule For Streams and Private Apps
We have a requirement to have a security model where consumers are granted access to a core stream (i.e., Stream ABC) by applying for group membership (i.e., QLIKSENSE_ABC_CONSUMER). The users would have access to all the apps in the stream if they have membership to the corresponding consumer group.
However, we have a requirement to have certain apps within a stream be private. We would like the user to be required to be in the stream group as well as a private group to see these private apps (i.e., QLIKSENSE_ABC_PRIVATE_CONSUMER). We tried to write the following security rule, but it seems to not be working:
(user.environment.roles=resource.@Consumer and resource.@Hidden!="true")
(user.environment.roles=resource.@Consumer and resource.@Hidden="true" and user.environment.roles=resource.@Exception)
We are using SAML, so we pass through users' group memberships through an attribute called roles. We have a custom property called @Consumer which we apply to Streams and grant access if the @Consumer custom property matches one of the users' groups in the role attribute. In addition, we have a custom property on apps called @Hidden which we set to true if the app needs to be private and a custom property called @Exception to grant access to the private apps.
If there is a better way of accomplishing our requirements, please suggest as we really would like to get something working...
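The access requirement described in this post, written as a small Python decision function with a harness that compares any candidate rule against it. This is an added example, not code from the post or from Qlik: the app names, user names and the `stream_only` candidate are constructed, and matching is assumed to succeed when any one of the user's roles equals a property value, as the post describes.

```python
from dataclasses import dataclass

STREAM_GROUP = "QLIKSENSE_ABC_CONSUMER"           # group name from the post
PRIVATE_GROUP = "QLIKSENSE_ABC_PRIVATE_CONSUMER"  # group name from the post

@dataclass(frozen=True)
class App:
    name: str
    consumer: frozenset                 # @Consumer values of the app's stream
    hidden: bool = False                # True when @Hidden is "true"
    exception: frozenset = frozenset()  # @Exception values on the app

def can_read(roles, app):
    """Requirement: stream group always; private group as well if the app is hidden."""
    roles = frozenset(roles)
    if not roles & app.consumer:
        return False
    return (not app.hidden) or bool(roles & app.exception)

def stream_only(roles, app):
    """Constructed weak candidate: checks the stream group and ignores @Hidden."""
    return bool(frozenset(roles) & app.consumer)

def visible_apps(roles, apps):
    return sorted(a.name for a in apps if can_read(roles, a))

def audit(candidate, users, apps):
    """Return (user, app, expected, got) wherever candidate differs from the requirement."""
    return [(u, a.name, can_read(r, a), candidate(r, a))
            for u, r in sorted(users.items()) for a in apps
            if candidate(r, a) != can_read(r, a)]

# Constructed sample data: one public and one private app in Stream ABC.
APPS = [
    App("Sales Overview", frozenset({STREAM_GROUP})),
    App("Payroll", frozenset({STREAM_GROUP}), True, frozenset({PRIVATE_GROUP})),
]
USERS = {
    "alice": {STREAM_GROUP},                 # stream member only
    "bob": {STREAM_GROUP, PRIVATE_GROUP},    # stream and private member
    "carol": {PRIVATE_GROUP},                # private group without stream group
    "dave": set(),                           # no groups
}

if __name__ == "__main__":
    for user, roles in sorted(USERS.items()):
        print(user, visible_apps(roles, APPS))
    print("stream_only mismatches:", audit(stream_only, USERS, APPS))
```

The same user and app matrix can be reused as a manual test plan after each change to the real rule: every row that `audit` would flag is a private app exposed to a stream-only member.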